Bria IM LDAP and AD Authentication Hack
May 24, 2013: Works with update 6. Added two 'sleep 2' statements, which seem to stop the occasional 0-byte .ini file problem.
These instructions have been updated for 4.6 update 5.
sipXecs allows for LDAP (or AD -- Microsoft Active Directory) authentication. In the current version of sipXecs 4.6, however, the Bria phone provisioning subsystem supplies the password entered in the Web UI for a user's IM (Openfire) account. The user may override it once logged in to Bria, but the provisioning system will overwrite it again the next time a profile is sent. In order for the Bria client to authenticate the IM account against LDAP instead, we need to delete the line in the provisioning file that sets this password. The first time they log in, Bria will tell the user that their IM account is not working; the user may then enter their correct LDAP or AD password, and on subsequent logins the user will not be asked again (until their password changes).
If you set things to use LDAP only, you will need to tell the users to use username & password as follows:
1. Phone voice mail menu: PIN only
2. Web Portal: UserID, with LDAP password (note that the UI says PIN, and this confuses end-users no end... you'll have to tell them umpteen times, and remain patient)
3. IM: UserID, with LDAP password
4. Bria provisioning: Extension, with LDAP password (only from 4.6 update 5 onwards). Note: do not use UserID, use Extension.
5. SIP account: for Bria, provisioned; for Jitsi etc., ask your administrator for the SIP password
6. I have not been able to figure out how the login to the AgentUI for ACD is configured – I usually can't log in to it, I don't think that ACD is ready for production purposes yet.
For item (4) above, note that you must use Extension – if you use UserID you do log in, but provisioning does not happen properly (at least not for me). You have to use the Extension! Perhaps this will be addressed in a future release, since it seems to be a design bug. Also, it would be nice if in the future softphones could use the LDAP password instead of the SIP password (5) (the current setup does make sense for hardphones).
To make using IM in Bria easier we can delete the wrongly-provisioned IM password whenever a .ini file is created or modified (in the Web UI's terms, 'Send Profile'), using incron and a small script. Follow the instructions below. I'm neither a Unix nor a sipXecs expert, so if you feel you can improve the instructions below or the whole method, please do!
First, ensure there are existing Bria provisioning files to test with later, so from the Web GUI Send Profile for a couple of Bria phones. Then run:
cat /var/sipxdata/configserver/phone/profile/tftproot/*.ini | grep proxy1:password
This should output a list of the passwords used for IM in the provisioned Bria phones’ files.
yum install incron -y
vi /etc/incron.conf
Modify the last line by uncommenting and changing to vi:
editor = vi
and save.
Create a batch for the root user:
vi /usr/local/sbin/bria-im-pw-rem
And copy/paste the following lines:
#! /bin/bash
# Bria IM password remove
# Run from incrontab, which passes the name of the created/modified file as $1
# Only act on provisioning files; sed's own temporary files also trigger events
if [[ "$1" == *.ini ]]; then
    # give the provisioning system time to finish writing (avoids editing a 0-byte .ini)
    sleep 2
    sed -i '/proxies:proxy1:password=/d' "/var/sipxdata/configserver/phone/profile/tftproot/$1"
    sleep 2
fi
Make this file executable:
chmod +x /usr/local/sbin/bria-im-pw-rem
Now edit the incrontab file:
incrontab -e
copy/paste the following line:
/var/sipxdata/configserver/phone/profile/tftproot IN_MODIFY,IN_CREATE /usr/local/sbin/bria-im-pw-rem $#
and save.
service incrond start
And to ensure it starts after a reboot:
chkconfig incrond on
Finally, you should test that it all works. As before you installed incrond, the following command should output lines containing passwords:
cat /var/sipxdata/configserver/phone/profile/tftproot/*.ini | grep proxy1:password
Now go to the Web UI, and do a Send Profile for all the Bria phones. Wait until the job has run, and then run the command again. It should now return nothing.
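As an added example (not part of the original instructions, and not sipXecs or Bria code), here is a variant of the script above that replaces the fixed 'sleep 2' with a wait for the .ini file to become non-empty and stop growing, which addresses the 0-byte file race directly rather than by a guessed delay. The function names wait_until_settled and strip_im_password, the sample profile content and the file names are my own constructions; the real files live under /var/sipxdata/configserver/phone/profile/tftproot.

```shell
#!/bin/bash
# Added example: strip the provisioned IM password from a Bria .ini file once
# the provisioning system has finished writing it. Names below are constructed.

# Wait until the file is non-empty and its size has not changed between two
# checks, instead of a fixed "sleep 2". Returns 1 if it never settles.
wait_until_settled() {
    local file="$1" tries="${2:-10}" last=-1 size
    while [ "$tries" -gt 0 ]; do
        size=$(wc -c < "$file" 2>/dev/null | tr -d ' ')
        size=${size:-0}
        if [ "$size" -gt 0 ] && [ "$size" = "$last" ]; then
            return 0
        fi
        last="$size"
        tries=$((tries - 1))
        sleep 1
    done
    return 1
}

# Remove only the proxies:proxy1:password= line; everything else stays intact.
# incron also reports sed's temporary files (e.g. sedAbc123), so ignore
# anything that is not a .ini file.
strip_im_password() {
    local file="$1"
    case "$file" in
        *.ini) ;;
        *) return 0 ;;
    esac
    wait_until_settled "$file" || return 1
    sed -i '/proxies:proxy1:password=/d' "$file"
}

# Constructed sample of the relevant part of a provisioned Bria profile.
make_sample_ini() {
    cat > "$1" <<'EOF'
proxies:proxy1:display_name=Alice
proxies:proxy1:username=201
proxies:proxy1:password=SecretFromWebUI
proxies:proxy1:domain=pbx.example.com
EOF
}
```

In the incrontab you would call strip_im_password with the full path built from $# (incron's file name), exactly as the batch file above does.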
Note that users will get an error message in Bria on their first login, and whenever they change their LDAP/AD password they will need to enter the new password in Bria.